Good Enough Cryptography

Good Enough Cryptography (gecrypt) is an attempt to create a simple,
passphrase-based file encryption tool founded on sound theory and realistic
assumptions. The program derives its keys using PBKDF2, encrypts using
AES256-CBC, and authenticates using HMAC-SHA256. Unlike some other
encryption programs, authentication is part of the design rather than an
afterthought.

Good Enough Cryptography aims for strong notions of security: IND-CCA2,
INT-CTXT and INT-PTXT. Criticism and cryptanalysis are welcome.

Note: The file format is in flux. Versions of gecrypt prior to 0.5 are incompatible with the current version.

Latest Version

File format change: The "encrypted header" approach used in previous
releases added unnecessary complexity to the file format, and it relied on
the ability to generate good, unpredictable random numbers. Today, random
number generator weaknesses are being discovered fairly often, so it might
be wise to avoid relying too much on random numbers.

We now derive the payload authentication and encryption keys directly from
the passphrase and a 256-bit nonce; the approach of storing
randomly-generated payload keys in an encrypted header is no longer used.

In this version of the file format, the only randomness requirement (aside
from the requirement that the passphrase must be unpredictable) is that
the nonce must be unique (for a given passphrase). The nonce is not
secret and it does not need to be "random-looking".

We now also use CBC mode instead of CTR mode, since CBC mode leaks less
information if an IV does happen to get reused: a reused CTR keystream
reveals the XOR of the two plaintexts (so knowing one plaintext gives the
other), whereas a reused CBC IV reveals only whether, and for how many
leading blocks, the two plaintexts agree. The downside is that the
--fixed-size option now only works with multiples of 16 bytes.
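To make the CBC-versus-CTR comparison concrete, here is an added example (not gecrypt's own code) that runs both modes under a reused IV and shows what each one gives away. So that it runs on the Python standard library alone, a four-round Feistel network built from HMAC-SHA256 stands in for AES-256; that stand-in, the key, the IVs and the two messages are all constructed for the demo. The behaviour shown is a property of the modes, not of the block cipher underneath.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    # Keyed round function: HMAC-SHA256 over (round number || right half), truncated.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    # Four-round Feistel network standing in for AES-256 so this runs on the
    # standard library. Any Feistel network is a permutation, which is all the
    # modes below need; it is NOT a secure cipher and must not be used as one.
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        L, R = R, _xor(L, _round(key, R, i))
    return L + R


def block_decrypt(key, block):
    L, R = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        L, R = _xor(R, _round(key, L, i)), L
    return L + R


def cbc_encrypt(key, iv, plaintext):
    # CBC: each block is XORed with the previous ciphertext block (the IV for the
    # first) before encryption. Input must be a whole number of blocks, which is
    # why --fixed-size only accepts multiples of 16 bytes in CBC mode.
    if len(plaintext) % BLOCK:
        raise ValueError("CBC input must be a multiple of 16 bytes")
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def ctr_crypt(key, iv, data):
    # CTR: the keystream E(iv), E(iv+1), ... is XORed with the data; the same
    # function encrypts and decrypts, and any length is allowed.
    out = []
    for n, i in enumerate(range(0, len(data), BLOCK)):
        counter = (int.from_bytes(iv, "big") + n) % (1 << 128)
        out.append(_xor(data[i:i + BLOCK], block_encrypt(key, counter.to_bytes(BLOCK, "big"))))
    return b"".join(out)


def recover_ctr_plaintext(c1, c2, known_p1):
    # Same key and IV in CTR mode means the same keystream, so c1 XOR c2 equals
    # p1 XOR p2: knowing p1 hands over p2 in full.
    return _xor(_xor(c1, c2), known_p1)


def cbc_equal_prefix_blocks(c1, c2):
    # Same key and IV in CBC mode leaks only how many leading blocks the two
    # plaintexts share; from the first differing block on, nothing is revealed.
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n


# Constructed demo inputs: two 32-byte messages that share their first block.
KEY = hashlib.sha256(b"demo key, constructed").digest()
IV = bytes(range(BLOCK))                # reused on purpose in the demo
IV2 = bytes(range(BLOCK, 2 * BLOCK))    # a distinct IV for comparison
P1 = b"header block....transfer $100.00"
P2 = b"header block....transfer $999.99"
```

Under the reused IV, `recover_ctr_plaintext` returns P2 exactly from the two CTR ciphertexts and P1, while `cbc_equal_prefix_blocks` reports only that the two CBC ciphertexts agree on one leading block; with a distinct IV it reports zero, because the Feistel stand-in (like any block cipher) is a permutation, so different first-block inputs give different outputs.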

Additionally, the minimum PBKDF2 iteration count (kdf-cost) has been
reduced from 10 to 1. The minimum of 10 iterations was arbitrary and
unnecessary. If people use weak passphrases with gecrypt, 10 iterations
is not enough to provide any significant level of security, and using a
single iteration should help increase performance when the passphrase is
generated by some other automatic process (e.g. authenticated
Diffie-Hellman key exchange).

Archived versions:

Add passphrase prompt. The master key can now be obtained via the terminal.

Add code to detect the SHA256 miscalculation bug at runtime. This is the
bug in PyCrypto 2.0.1 that occurs when the data being hashed has length
congruent to 55 (mod 64). Since PyCrypto 2.0.1 is the latest version
available, we work around this bug by using hashlib.sha256 (from
Python >= 2.5) instead, if it is available.

Add backward-compatibility support for Python 2.3 (or Python 2.2 with the 'optparse' and 'textwrap' modules borrowed from Python 2.3).

The previous version, 0.2, was not IND-CCA2 secure when the --onepass option was used.

Again, the file format used by this version is incompatible with
the previous version. The new format incrementally applies the MAC to
the ciphertext, so that every chunk of ciphertext can be authenticated.
Note that you still need to check the return code of gecrypt in order
to detect truncated ciphertext.
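The two mechanisms described above, deriving both payload keys from the passphrase and a public 256-bit nonce, and applying the MAC incrementally so each ciphertext chunk can be checked as it arrives, are shown together in this added example. It is not gecrypt's code and its file layout (nonce, 32-bit kdf-cost, then length-prefixed ciphertext chunks each followed by a snapshot of the running HMAC, closed by a zero-length end record carrying the final tag) is an assumption made for the demo; the ciphertext chunks are constructed stand-in bytes, since the AES-256-CBC step is outside this block. The point it makes is the one in the note above: a stream cut off cleanly after a chunk tag passes every per-chunk check, and only the missing end record, reported here as a status the caller must act on, reveals the truncation.

```python
import hashlib
import hmac
import struct

KEY_LEN = 32                  # 256-bit keys for AES-256 and HMAC-SHA256
NONCE_LEN = 32                # 256-bit public nonce; must be unique per passphrase
TAG_LEN = 32                  # HMAC-SHA256 digest length
HEADER_LEN = NONCE_LEN + 4    # assumed layout: nonce || kdf-cost (big-endian u32)


def derive_keys(passphrase, nonce, kdf_cost):
    """One PBKDF2-HMAC-SHA256 call over (passphrase, nonce) yields 64 bytes:
    the first 32 are the encryption key, the last 32 the MAC key. The nonce
    need only be unique, not secret or random-looking; reusing it with the
    same passphrase reproduces both keys, which is exactly what must not happen."""
    if kdf_cost < 1:
        raise ValueError("kdf-cost must be at least 1")
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be 256 bits")
    okm = hashlib.pbkdf2_hmac("sha256", passphrase, nonce, kdf_cost, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def make_header(nonce, kdf_cost):
    return nonce + struct.pack(">I", kdf_cost)


def keys_from_header(passphrase, header):
    nonce = header[:NONCE_LEN]
    (kdf_cost,) = struct.unpack(">I", header[NONCE_LEN:HEADER_LEN])
    return derive_keys(passphrase, nonce, kdf_cost)


def seal(mac_key, header, ciphertext_chunks):
    """Encrypt-then-MAC applied incrementally: the HMAC absorbs the header and
    every length-prefixed ciphertext chunk, and a snapshot of the running HMAC
    is written after each chunk. A zero-length record with the final tag marks
    the end of stream; it is the only thing that separates a complete file from
    one cut off cleanly after some chunk's tag."""
    h = hmac.new(mac_key, header, hashlib.sha256)
    out = [header]
    for chunk in ciphertext_chunks:
        if not chunk:
            raise ValueError("zero-length chunk is reserved for end of stream")
        rec = struct.pack(">I", len(chunk)) + chunk
        h.update(rec)
        out.append(rec + h.copy().digest())
    end = struct.pack(">I", 0)
    h.update(end)
    out.append(end + h.digest())
    return b"".join(out)


def open_stream(mac_key, blob):
    """Verify chunk by chunk. Returns (verified_chunks, status) with status one
    of 'ok', 'truncated', 'tampered'. A chunk is released only once its tag
    checks, so tampered data is never returned; but a stream that stops right
    after a valid tag verifies fine until the end record is found missing,
    which is why the caller must act on the status (gecrypt's return code)."""
    header = blob[:HEADER_LEN]
    h = hmac.new(mac_key, header, hashlib.sha256)
    chunks, pos = [], HEADER_LEN
    while True:
        if pos + 4 > len(blob):
            return chunks, "truncated"
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        rec_end, tag_end = pos + 4 + n, pos + 4 + n + TAG_LEN
        if tag_end > len(blob):
            return chunks, "truncated"
        h.update(blob[pos:rec_end])
        if not hmac.compare_digest(h.copy().digest(), blob[rec_end:tag_end]):
            return chunks, "tampered"
        if n == 0:
            return chunks, "ok"
        chunks.append(blob[pos + 4:rec_end])
        pos = tag_end


# Constructed demo inputs. The chunks stand in for AES-256-CBC output.
PASSPHRASE = b"correct horse battery staple"
NONCE = bytes(range(NONCE_LEN))
CIPHERTEXT_CHUNKS = [b"\x8a" * 16 + b"\x11" * 16, b"\x3c" * 32, b"\xd9" * 16]


def demo():
    header = make_header(NONCE, 1)          # kdf-cost 1: only for machine-generated passphrases
    enc_key, mac_key = keys_from_header(PASSPHRASE, header)
    blob = seal(mac_key, header, CIPHERTEXT_CHUNKS)
    intact = open_stream(mac_key, blob)
    # Cut the file just after the second chunk's tag: both chunks verify, no end record.
    cut = HEADER_LEN + sum(4 + len(c) + TAG_LEN for c in CIPHERTEXT_CHUNKS[:2])
    truncated = open_stream(mac_key, blob[:cut])
    # Flip one bit in the first ciphertext byte of chunk 1: its tag no longer matches.
    flipped = bytearray(blob)
    flipped[HEADER_LEN + 4] ^= 0x01
    tampered = open_stream(mac_key, bytes(flipped))
    return intact, truncated, tampered
```

`demo()` returns `(chunks, "ok")` for the intact file, the first two chunks with `"truncated"` for the cut file, and no chunks with `"tampered"` for the bit-flipped one; a command-line wrapper would map the latter two to a nonzero exit status, which is the check the note above asks callers to make.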